VPN tunnel negotiates but only when triggered from one side and IKE/IPSec SA delete request

Posted on 2012-08-25
Last Modified: 2012-08-26
Hi All,

I have made some big changes to our network infrastructure today as we are due to take over another floor in our building (we've only had one so far).

The relevant changes are the introduction of a Layer 3 switch (as we need to start using VLANs) and the switch from our SonicWall TZ190 to two SonicWall NSA200 (HA solution). The Layer 2 switches were replaced as well.
The SonicWall has got a virtual sub interface set up and assigned to the LAN interface (x0) - this is solely used for wireless.

The connectivity between the floors is fine, the connectivity within the network is fine - my only issue is one VLAN tunnel which initially didn't connect.

We are connecting to a Cisco firewall in a data centre in London via a VPN tunnel from our SonicWall.
This has worked until I changed it over today - all existing rules were copied so there shouldn't be a problem with those.
I tried to connect to the remote servers but a connection couldn't be established. There was only one attempt to establish the VPN tunnel in the log files:

IKE responder received main mode request (Phase 1)
IKE responder: Main mode complete (Phase 1)
Received IPSec SA delete request
Received IKE SA delete request

No further attempts anymore after this initial one.

I have then connected to a computer in a remote office which has got a VPN tunnel to the remote firewall set up successfully and from there to our remote servers.
From the remote servers I pinged our internal network (a server in the office network that doesn't connect) and this has triggered the VPN tunnel negotiation as well as a successful connection. I can now RDP to the remote servers from the computers that couldn't previously connect.

[edit] The tunnel has just dropped again after another IKE/IPSec delete request... [/edit]

[edit 2] I've just received the log file entry from our data centre hoster for the time of the disconnection. Keep alive is enabled in the VPN settings...

Aug 25 18:48:07 xxx: IP = 141.x,x,x, Keep-alives configured on but peer does not support keep-alives (type = None)

Aug 25 18:52:23 xxx: Group = 141.x.x.x, IP = 141.x.x.x, Connection terminated for peer 141.x.x.x.  Reason: IPSec SA Idle Timeout  Remote Proxy, Local Proxy

Aug 25 18:54:57 xxx: Group = 141.x.x.x, Username = 141.x.x.x, IP = 141.x.x.x, Session disconnected. Session Type: IPsec, Duration: 0h:42m:51s, Bytes xmt: 146067, Bytes rcv: 227970, Reason: Idle Timeout

Aug 25 18:54:57 xxx: Group = 141.x,x,x, IP = 141.x,x,x, Connection terminated for peer 141.x,x,x.  Reason: IPSec SA Idle Timeout  Remote Proxy, Local Proxy

There's obviously something wrong but what?

Please let me know what more info you require and I'll post it for you.

Thank you!
Question by: Minime85
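As an added example (not part of the original question or the replies), this Python snippet parses ASA-style syslog lines like the ones quoted above and reports, per peer, whether keep-alives were refused and how many times the tunnel was torn down for idle timeout, which is the combination described in the question. The sample lines are constructed copies of the quoted entries; the hostname fw1 and the address 192.0.2.10 are placeholders, not the real peer.

```python
import re

# Constructed sample lines modelled on the ASA-style syslog entries quoted in the
# question; 192.0.2.10 is a documentation-range placeholder, not the real peer.
SAMPLE_LOG = """\
Aug 25 18:48:07 fw1: IP = 192.0.2.10, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 25 18:52:23 fw1: Group = 192.0.2.10, IP = 192.0.2.10, Connection terminated for peer 192.0.2.10.  Reason: IPSec SA Idle Timeout  Remote Proxy, Local Proxy
Aug 25 18:54:57 fw1: Group = 192.0.2.10, Username = 192.0.2.10, IP = 192.0.2.10, Session disconnected. Session Type: IPsec, Duration: 0h:42m:51s, Bytes xmt: 146067, Bytes rcv: 227970, Reason: Idle Timeout
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+: (?P<msg>.*)$")
IP_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)(?:\s{2,}|$)")  # reason ends at a double space or end of line
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")

def parse_line(line):
    """Split one syslog line into timestamp, peer IP, termination reason, session seconds and keep-alive refusal."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a line in the expected syslog shape
    msg = m.group("msg")
    ip, reason, dur = IP_RE.search(msg), REASON_RE.search(msg), DURATION_RE.search(msg)
    return {
        "ts": m.group("ts"),
        "peer": ip.group("ip") if ip else None,
        "reason": reason.group("reason").strip() if reason else None,
        "duration_s": int(dur["h"]) * 3600 + int(dur["m"]) * 60 + int(dur["s"]) if dur else None,
        "no_keepalive": "does not support keep-alives" in msg,
    }

def summarize(log_text):
    """Per peer: did it refuse keep-alives, how often was it dropped for idle timeout, and session lengths."""
    peers = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["peer"]:
            continue
        p = peers.setdefault(ev["peer"], {"no_keepalive": False, "idle_timeouts": 0, "durations_s": []})
        p["no_keepalive"] = p["no_keepalive"] or ev["no_keepalive"]
        if ev["reason"] and "Idle Timeout" in ev["reason"]:
            p["idle_timeouts"] += 1
        if ev["duration_s"] is not None:
            p["durations_s"].append(ev["duration_s"])
    return peers

def peers_to_check(peers):
    """Peers torn down by the far end's idle timer while refusing keep-alives: the pattern in the question."""
    return sorted(ip for ip, p in peers.items() if p["no_keepalive"] and p["idle_timeouts"])
```

Feed summarize() the text of a syslog export instead of SAMPLE_LOG; peers_to_check() then lists the peers whose keep-alive/DPD settings should be compared on both ends of the tunnel.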

Accepted Solution

Right, by the looks of it turning it off and on again has worked miracles. I'll confirm tomorrow if it's still working!

Author Closing Comment

That's still up - the reboot has fixed it
